Do you control how your employees use your company’s Cloud applications? Can you detect abnormal activities that indicate a compromised account or a security policy violation? Do you have solutions to solve Cloud security incidents? Can you guarantee the protection of each mobile device? If you do not have the correct answers yet, find out below how Datanet Systems can help you meet all these critical requirements.
The mobility and intensive use of Cloud services generate increasing security concerns for companies. Recent studies, such as the one conducted by Ponemon Institute “The State of Endpoint Security Risk in 2017” highlights two critical issues. On the one hand, 70% of organizations face an increase in security risks at the level of end-user equipment. On the other hand, companies’ confidence in endpoint antivirus solutions is shrinking: 4 out of 5 companies have already replaced AV solutions last year or completed their capabilities with other protection and detection applications.
The situation gets complicated with the rapid increase in the level of use of SaaS in organizations, as well as a number of Cloud applications – whether authorized or not – by their employees. Almost two-thirds of these applications require more permissions than they need and the vast majority of users grant them unlimited rights without awareness of the risks.
The trouble maker Pokemon
Remember Pokemon Go? The game created by the Niantic company managed to gather 100 million users worldwide (a result for which Facebook worked for almost four and a half years). Niantic’s market success also affected the enterprise environment – a study in 2016 shows that 44% of companies had employees playing Pokemon Go, with an average of 5% “users” (1 out of 20 employees). The problem was not a decrease in productivity, but the fact that the application’s initial version required users to grant them excessive rights that allowed, for example, to see, modify and download the files stored and shared in the collaborative suite Google. This is because the application uses an Open Authorization (OAuth) login protocol, which is a “Login with Google Account” button that most users who want to shorten the login process have pressed without any reservation.
A considerable number of companies were not aware of the related risks when their employees installed and used Pokemon Go on their personal mobile devices, but also on their work devices. And that’s not because the OAuth protocol issues were not known, but because they did not have control over what Cloud users are doing, what applications they use, what data they share, etc.
The protection pattern evolves rapidly
The need to monitor and control end-user activity outside of the physical perimeter of companies has become critical at the moment, because data and applications are moving more and more into the Cloud. Gartner estimates that this year 25% of company data traffic will bypass classical perimeter protection systems and the volume of data created directly in the Cloud – which may have never gone through the company’s on-premises infrastructure – is growing. Cloud-to-Cloud traffic is also generated by applications that “talk” directly between them.
Or, in such cases, perimeter protection is no longer sufficient. Let’s take a practical example: how efficient do you think is a Data Loss Prevention application installed on-site, when it comes to data stored, operated and shared in CRM or in a Cloud-based collaboration application? It’s not a rhetorical question, but rather an applied one, which you will have to find the answer for, because the new personal data protection regulation (GDPR) will force you to know permanently what data is stored and where, who has access to it, what operations can be done, how is it protected, how it is encrypted, etc.
As one of four users confessed openly confess that they knowingly violate Cloud security rules, what are the real chances of success in an audit? When 82% of company employees admit that when working outside the company they do not use the VPN, do you think you can provide effective protection for devices that work against malware threats and compromised domains?
CloudLock ensures Cloud security
Datanet Systems’ response to these highly-extremely up-to-date questions for organizations is based on Cisco CloudLock and Umbrella solutions that work in a complementary way. CloudLock discovers what accounts are compromised and what activities and applications have an increased risk potential, by analyzing user behavior and traffic generated by the equipment they use. Cisco’s solution will help you quickly detect data leaks, compliance and security policy violations, and unauthorized or high-risk applications.
To meet all these requirements, CloudLock uses advanced machine learning and user behavior analysis mechanisms. For example, the Cisco application may signal the possible compromise of a user account if: 1) its logging sessions are made in a short time from remote locations, or 2) if the file’s download volume exceeds the average value, or 3) if it has a very intense activity outside regular working hours, or if it detects several unsuccessful login attempts.
Such situations may indicate a risk potential, but security departments are assaulted on a monthly basis by thousands of security alerts. Therefore, the challenge is how you decide whether a suspicious activity really needs to be investigated or is just an atypical behavior that can be ignored. For this, CloudLock collects data from all Cloud applications and uses the Cloud Threat Funnel methodology to monitor user behaviors, filter and detect what is abnormal, analyze anomalies, and identifies real threats, if it detects truly suspicious activities. The application is capable of automatically detecting sensitive data exposures and leakages and also predefined out-of-the-box Cloud security breaches. Datanet specialists can also help you set up rules specific to your company’s business. You can, for example, set rules for specific projects, implement drill down analyzes when discovering exposed information, define actions (quarantine of a file, sending a notification to the end-user, creating and issuing an alert to the administrators, revoking the rights of an application based on the risk rating provided by Integrated Threat Intelligence).
Complementary Umbrella protection
Cisco Umbrella, the second component of Datanet’s response, completes CloudLock’s protection on another level. Umbrella is a Cisco solution delivered as a Cloud service that acts on two levels:
- Provides protection for both the infrastructure of organizations and for mobile users, blocking threats before they affect end-points and / or enter the network;
- Prevents system compromise and data leakage across any port or protocol, regardless of whether the infections occurred inside or outside of the company network, or whether the malware is trying to establish connections with the command and control servers through DNS requests or IP connections.
For this, the Cisco solution analyzes DNS requests and gives them access based on the results of the analysis. The Cisco Platform analyzes daily approximately 100 billion domain addresses, URLs, IPs, and high-risk files, analyzes that are correlated in real-time with over 11 billion security events that have already taken place.
As we have shown above, the Cisco solution does not only proactively protect but also retroactively – if one or more users have accessed a compromised domain before it has been locked, they are quickly identified and can be automatically quarantined and/or Umbrella blocks any other DNS request.
For example, when an endpoint is already infected with a Ransomware threat, it tries to connect to the command and control servers using Domain Generation Algorithms. DGA is an algorithm in which the domain name changes constantly, with a very high frequency, which makes it difficult to block connection requests. By integrating with Cisco AnyConnect, Umbrella stops all these requests, limiting the damage and threat spreading to the network.
Improved Cloud security
A higher level of security can be achieved by integrating Umbrella with Cisco Advanced Malware Protection (AMP) for Endpoints, which blocks known malware threats at the initial inspection and uses Sandbox technologies(via Threat Grid) to analyze unknown file behavior. AMP for Endpoints continuously monitors, analyzes and records the activity of endpoint files and their route to the organization, in order to detect abnormal behaviors and to issue back-up alerts, providing complete information on the context in which a piece of equipment has been compromised.
The Cisco solution will soon incorporate a new feature – AMP Visibility, an “Incident Response” tool that will simplify and speed up the security incident investigation process. Visibility can collect information from several security products implemented in the company, information that can be accessed from a single control point. Practically, the functionality allows you to perform detailed queries – by: device, MAC, user name, Secure Hashing Algorithm, domain, IP, etc. – the search is done in all the applications used. For example, if Umbrella signals an event, it is no longer necessary to access the application separately, then the Investigated module, and then search for information about a particular domain. Access can be done directly from AMP Visibility. The result – increasing the reaction speed in the event of a security incident, by reducing the investigation time.
Cisco CloudLock and Umbrella work in a complementary way, providing a level of protection that can be enhanced by integrating with other third-party security applications as well as other Cisco solutions. Datanet specialists can help you deploy, configure, and customize these solutions to best meet company requirements and provide full protection.
Datanet Systems is the main Cisco partner in Romania with the largest local team of certified specialists and an extensive portfolio of security projects implemented in critical infrastructure. For more information, please contact firstname.lastname@example.org.